From c8102cafbeb19f98549c2c7c969a7accb75ab203 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cyryl=20P=C5=82otnicki?=
Date: Sun, 16 Feb 2020 09:23:31 +0000
Subject: [PATCH] hardened

---
 nixos/boot.nix | 1 -
 nixos/common.nix | 3 +++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/nixos/boot.nix b/nixos/boot.nix
index 8a582e0a..b37a25ce 100644
--- a/nixos/boot.nix
+++ b/nixos/boot.nix
@@ -11,7 +11,6 @@
 "kernel.dmesg_restrict" = true;
 "kernel.unprivileged_bpf_disabled" = true;
 "kernel.unprivileged_userns_clone" = 1;
- "net.core.bpf_jit_enable" = pkgs.lib.mkDefault false;
 "net.core.bpf_jit_harden" = true;
 };
 loader.grub = {
diff --git a/nixos/common.nix b/nixos/common.nix
index 30fe80d8..e6e2595f 100644
--- a/nixos/common.nix
+++ b/nixos/common.nix
@@ -6,6 +6,7 @@ in { imports = [ + ./vscode.nix ./syncthing.nix ./gsconnect.nix
@@ -14,6 +15,8 @@ in
 ./vim.nix
 ];
 
+ security.allowUserNamespaces = true;
+
 nixpkgs.config = {
 allowUnfree = true;
 packageOverrides = pkgs: {
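Review bot: The added `security.allowUserNamespaces = true;` in the last hunk of nixos/common.nix has no comment explaining why user namespaces are kept on, although the commit is titled "hardened" and this setting widens the kernel surface reachable by unprivileged processes. The boot.nix context in this same patch already sets `"kernel.unprivileged_userns_clone" = 1;`, so the two switches express one decision in two files and can drift apart. I would put the reason next to the option, e.g. `# user namespaces stay enabled for <consumer that needs them>; see "kernel.unprivileged_userns_clone" in boot.nix`. If the line exists to override a hardened profile default, which the hunk does not show, the comment should say so.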